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Introduction 


The Information Commissioner is producing a direct marketing code 
of practice, as required by the Data Protection Act 2018. A draft of 
the code is now out for public consultation. 


The draft code of practice aims to provide practical guidance and 
promote good practice in regard to processing for direct marketing 
purposes in compliance with data protection and e-privacy rules. 
The draft code takes a life-cycle approach to direct marketing. It 
starts with a section looking at the definition of direct marketing to 
help you decide if the code applies to you, before moving on to 
cover areas such as planning your marketing, collecting data, 
delivering your marketing messages and individuals rights. 


The public consultation on the draft code will remain open until 4 
March 2020.The Information Commissioner welcomes feedback on 
the specific questions set out below. 


You can email your response to directmarketingcode@ico.org.uk 
Or print and post to: 


Direct Marketing Code Consultation Team 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation, please 
email the Direct Marketing Code team. 


Privacy statement 


For this consultation we will publish all responses received from 
organisations except for those where the response indicates that they 
are an individual acting in a private capacity (eg a member of the 
public). All responses from organisations and individuals acting in a 
professional capacity (eg sole traders, academics etc) will be published 
but any personal data will be removed before publication (including 
email addresses and telephone numbers). 


For more information about what we do with personal data please see 
our privacy notice 


Q1 Is the draft code clear and easy to understand? 


xX Yes 
No 


If no please explain why and how we could improve this: 


Generally, the draft code is clear to understand, but there are several areas where it can 
be improved to be as useful a resource as possible to help the BHF and the wider charity 
sector comply with GDPR and PECR in their direct marketing practice. 


We note that there is a shift away from the principle led guidance present in all earlier 
publications, towards a much more prescriptive framework. This move may result in 
organisations moving away from undertaking their own balancing exercises and not 
affording organisations the opportunity to judge what is reasonable. 


We also have concerns over some of the ‘good practice’ recommendations. Most obviously 
around getting ‘consent for all your direct marketing regardless of whether PECR requires 
it or not’. The inclusion of the recommendation to get consent is very likely to mean that 
organisations (and in particular charities) will read this as being the only real choice 
available and adopting a consent approach by default. This may not be in the best interests 
of the organisation or the data subjects. 


The word ‘unlikely’ is used 26 times in the draft code. The use of such wording makes it 
difficult for readers to interpret and apply. We recommend that if something is deemed 
‘unlikely’ in general terms, there should be at least two examples provided in specific areas 
to help organisations understand where it might be more likely to be fair. 


On occasions, the draft code is inconsistent in approach. For example, the draft code says 
that when determining whether a communication is service or marketing in nature “a key 
factor is likely to be the phrasing, tone and context”. Later in the draft code, it says that 
organisations cannot “avoid the direct marketing rules by simply using a neutral tone”. It 
would be helpful to have clarity around this. 


The examples in the draft code can help to illustrate points and put general assertions into 
context. However, we believe that the use of the examples could be enhanced. Often an 
example is given at the end of a section which tells you how an activity would not be likely 
to be compliant. The guidance would be hugely enhanced if the examples also included how 
that same activity could, potentially, be done fairly and lawfully. 


Q2 Does the draft code contain the right level of detail? (When 
answering please remember that the code does not seek to 
duplicate all our existing data protection and e-privacy guidance) 


X Yes 

O No 
If no please explain what changes or improvements you would like to 
see? 


On the whole yes. 


Q3 Does the draft code cover the right issues about direct marketing? 


xX Yes 
No 


If no please outline what additional areas you would like to see 
covered: 


Yes overall. 


However, we believe that consistency with existing ICO guidance needs to be addressed. 
The presentation of the current online guidance with its focus on accountability, good 
decision-making, an evidence-based approach, is much more helpful as a guide to help 
charities understand the legal requirements and adopt a principles-based approach based 
on fair and transparent practice. 


In addition, in our view the existing online ICO guidance dealing with the ‘Lawful basis for 
processing’ is much clearer for organisations. Explaining that no single basis is better or 
more important than the others gives a clearer and more accurate explanation of the law. 


Q4 Does the draft code address the areas of data protection and e- 
privacy that are having an impact on your organisation’s direct 
marketing practices? 


xX Yes 
No 


If no please outline what additional areas you would like to see covered 


Yes, it does overall but we have the following concerns specific to the BHF and the charity 
sector: 


Social Media and Consent - the draft code states “an individual may want as many 
people as possible to read their social media post but that does not mean they are agreeing 
to have that data collected and analysed to profile them to target your direct marketing 
campaigns.” Our view is that this assertion is too general to properly encompass all social 
media platforms and the different interactions across these platforms. Arguably, platforms 
like Facebook and Twitter have different functions, and users are likely to have different 
expectations of how their data may be used. It would be useful if the draft code could 
differentiate between social media platforms. 


Custom audience initiatives - the draft code says that it is likely that consent is the 
appropriate basis for advertising via custom audiences, as it is difficult to see how custom 
audience tools ‘would meet the three-part test of the legitimate interest basis’. A further 
explanation would be helpful to explain the reasoning for the ICO’s conclusion. 


Direct Marketing and Consent - The draft code recommends that organisations get 
consent for all direct marketing regardless of whether PECR requires it or not. This is at 
odds with the ICO’s current guidance on direct marketing which states that one legal basis 
is not necessarily superior to another. This recommendation could lead organisations to 
believe that they should obtain consent for all direct marketing (even where it is not legally 
required). 


Direct Marketing by post - the draft code implies that organisations will need to have a 
pre-existing relationship with an individual to send them marketing by post if relying upon 
the legitimate interest basis. However, under the GDPR and Data Protection Act 2018 
organisations can send post using legitimate interest, irrespective of whether they have a 
pre-existing relationship with the individual. Whilst the draft code provides some helpful 
guidance for organisations carrying out legitimate interest assessments in practice, the 
code should be clearer when explaining where legitimate interest can be used as the 
appropriate legal ground. 


Data matching/ profiling — the draft code says that organisations are unlikely to be able 
to justify tracking services to find the new addresses of individuals’ who have moved. For 
example, ICO states that a university would not be allowed to use a data broker to find 
updated address details for its alumni. This is a conservative view worthy of review in the 
consultation. 


Profiling — The ICO refers to types of profiling you consider to be ‘intrusive’ but it is unclear 
what the ICO regards as the threshold for this - particularly where it will be difficult to rely 
on legitimate interests because the profiling will not be in the reasonable expectations of 
data subjects. Philanthropists and high net worth individuals often expect an organisation 
to have conducted research on them. This element of expectation and informing supporters 
of profiling in an appropriate and timely fashion, should be included in the draft code. 


Tell a friend (refer a friend) campaigns- According to the guidance ‘tell a friend’ 
campaigns are hard to justify under PECR. The draft code says ‘it is very likely therefore 
that viral marketing and ‘tell a friend’ campaigns by electronic mail would breach PECR’. 


We believe that this could have unintended negative consequences on a whole range of 
charitable fundraising, campaigning, and service delivery work. We feel that the information 
on what is ‘incentivising vs instigating’ should be clearer. 


Q5 Is it easy to find information in the draft code? 


xX Yes 
No 


If no, please provide your suggestions on how the structure could be 
improved: 


Q6 Do you have any examples of direct marketing in practice, good or bad, 
that you think it would be useful to include in the code 


x! Yes 
No 


If yes, please provide your direct marketing examples: 


The draft code says that ‘any unusual or unexpected processing ought to be at the 
forefront of any layered privacy information’. An example as to how organisations can do 
this on a practical level would be helpful. 


The draft code says that where possible, organisations should provide granular consent 
options for different types of processing. But it also says that requests should be concise 
and easy to understand. It would be useful to have examples of how organisations could 
achieve both aims simultaneously. 


Q7 Do you have any other suggestions for the direct marketing code? 


In our opinion, the charity sector is over-represented in the examples given. 11% of the 
examples within the draft code relate to charities. This is a disproportionate number given 
the range of organisations and businesses that undertake direct marketing. We would like 
to see a wider range of examples considered. 


About you 


Q8 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

Kl On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


British Heart Foundation 


If other please specify: 


PT 


How did you find out about this survey? 


OQ 
Ne) 


ICO Twitter account 

ICO Facebook account 

ICO LinkedIn account 

ICO website 

ICO newsletter 

ICO staff member 

Colleague 

Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 


Pd 


Thank you for taking the time to complete the survey 


Rs PM ea a a Ti el 


